CVE-2026-20609 is a memory handling vulnerability classified under CWE-125 (Out-of-bounds Read) affecting Apple’s iOS, iPadOS, macOS, tvOS, visionOS, and watchOS platforms. The vulnerability arises when the operating system processes a maliciously crafted file, which can lead to a denial-of-service (DoS) condition or potentially allow an attacker to read sensitive memory contents. This could expose confidential information residing in memory, although the vulnerability does not impact data integrity. The flaw requires user interaction, such as opening or processing the malicious file, and does not require elevated privileges, but the attack vector is local (AV:L), meaning the attacker must have access to the device or trick the user into opening the file. Apple addressed this issue by improving memory handling routines, releasing patches in iOS 18.7.5, iPadOS 18.7.5, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, and watchOS 26.3. No public exploits have been reported, indicating limited active exploitation. The vulnerability’s CVSS 3.1 base score is 4.4, reflecting medium severity due to the limited attack vector and required user interaction. The vulnerability’s impact is primarily on confidentiality and availability, with no integrity impact. The issue was reserved in November 2025 and published in February 2026, showing a timely patch response from Apple.

The vulnerability poses a risk of denial-of-service, which can disrupt device availability, potentially impacting users who rely on Apple devices for critical communications and operations. The potential disclosure of memory contents could lead to leakage of sensitive information such as credentials, encryption keys, or personal data, undermining confidentiality. While exploitation requires user interaction and local access, targeted attacks against high-value individuals or organizations could leverage this flaw for information gathering or disruption. Enterprises with large Apple device deployments, especially in sectors like finance, healthcare, and government, could face operational impacts and data exposure risks. The absence of known exploits reduces immediate widespread threat but does not eliminate the risk of future exploitation. The vulnerability affects a broad range of Apple platforms, increasing the scope of potential impact across mobile, desktop, and emerging device categories like visionOS and watchOS.

Organizations and users should prioritize updating affected Apple devices to the patched versions: iOS and iPadOS 18.7.5 and 26.3, macOS Sequoia 15.7.4, Sonoma 14.8.4, Tahoe 26.3, tvOS 26.3, visionOS 26.3, and watchOS 26.3. Restricting the opening of files from untrusted or unknown sources can reduce exposure to maliciously crafted files. Employ device management policies to enforce timely OS updates and restrict installation of unauthorized applications or files. Educate users on the risks of opening suspicious files and encourage cautious behavior regarding unsolicited attachments or downloads. Implement network-level protections to detect and block delivery of malicious files where possible. For high-security environments, consider additional monitoring for abnormal application crashes or memory access patterns that could indicate exploitation attempts. Regularly review and audit device configurations to ensure compliance with security best practices.